Open Security Development Lifecycle

We need a no-frills and roughly-right life-cycle to raise our level of software Security Assurance. Right now there are several security life-cycles, both in the wild and available through vendors. None of those attend to the full spectrum of security and risk needs. Most are heavily centered around software testing, but the security umbrella is much larger than that. Maybe more importantly, development and delivery methodologies have changed drastically over the last couple of years.

Why Go Hugo?

For years I have worked with WordPress along with its themes, plugins, and vulnerabilities. I even purchased a couple of themes. Yes, WP can make a pretty site, but at the end of the day I spent a lot of time working on WP and not working on content. It was time to move on to a different way of publishing. There were several reasons that I moved from a dynamic site to a static site.

Why Architect

ar chi tect: (v) design and make

Think about landscaping your front yard. It is a lot more than just the sod or a couple of bushes. The overall look of your front yard comes from the color of your house, the looks of your house, the sidewalk, the driveway, the trees, and the shrubbery. It matters all the way down to how your grass has been mowed. If you are going for a particular look you had better be thinking about these things a little bit up front and not just letting each and every service implement their part of the yard without some larger vision.

Control by Control

You don’t read the glossary because no one reads that, but how often do you jump straight to the end of a document to read an appendix? Be truthful. Well, maybe you don’t, but sometimes you really should.

Building the Tower

Information Security controls have been a hot topic lately. Actually the discussion has been more around the lack of controls or how poorly the controls were implemented. In the InfoSec industry there are lots of definitions for these controls.

Security Capabilities

Being Capable

We talk a lot in the security world. Most of the time we seem to talk about all the possibilities when we need to talk more about what we can actually do. What are we capable of doing? What do we need to be capable of doing?

Being Capable with Capabilities

When we want to talk with our partners, whether those partners are business-related, very technical or just your managers, you need some consistent way to describe what security does.

Ecstatic Over Static Passwords

Well, maybe not ecstatic, but it is pretty exciting that I have been carrying around a way to house a strong static password and didn’t even realize it. I have had a YubiKey for over a year now and have used it successfully with LastPass. A YubiKey is a handy USB or Near Field Communications (NFC) device that can generate a variety of authentication responses. The default is a One Time Password (OTP) that can be verified via a server running the Yubico software.

Architect from Hole in the Ground

Well, maybe that is a little extreme, but sometimes titles do seem to get twisted up, especially in our title-laden world. My title Security Architect has the word Architect in it, but how closely related is that to an Enterprise Architect? Are we second cousins three times removed, or are we just not related at all?

The Roles

It might make more sense to work through the main types of roles you might see on a daily basis.

Data breaches cost over $150 per record. An identity is stolen every 3 seconds. DDoS attacks are up over 43% this year alone. Some random statement on how poor most passwords are these days. Does this droning sound like what is driving your security program? Even though these facts are true, they may not win the hearts and minds of your security decision makers. Everyone seems to have these facts these days, so in a way they are becoming background noise.

Order of Things

Sequence Diagrams

I am not a huge fan of traditional UML diagrams for long-term documentation. Most diagrams are quickly rendered old and useless. There are times, though, when you need to convey the sequence of operations between several entities. It is hard to beat the Sequence Diagram for those situations. There are plenty of tools that let you build some very sophisticated Sequence Diagrams. I try to avoid spending more time building a Sequence Diagram than it would take to write the code behind the diagram.